This document provides instructions for generating a Certificate Signing Request (CSR) for IMB Websphere MQ using command line. If you are unable to use these instructions for your server, Symantec recommends that you contact IBM.
NOTE: Before generating a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file, forget your password, or generate a new key file, your SSL Certificate will no longer match your private key. You will have to replace the SSL Certificate.
For more information about selecting signature algorithm in ikeyman please refer to the IBM website
NOTE: To generate a CSR using the IKEYMAN GUI, follow the steps from this link.
Step 1: Prepare your system
- Use the gsk7cmd command to create and sign the certificates. Run the gsk7cmd for a full list of the parameters you can use on the command:
- Set the DISPLAY environment variable. For example: export DISPLAY=mypc:0.
- Ensure that the user's path contains /usr/bin.
- Set the JAVA_HOME environment variable:
a) AIX: export JAVA_HOME =/usr/mqm/ssl/jre
b) HP-UX: export JAVA_HOME =/opt/mqm/ssl
c) Linux: export JAVA_HOME =/opt/mqm/ssl/jre
d) Solaris: export JAVA_HOME =/opt/mqm/ssl
Step 2: Create a Keystore
- Run the following command to create a key repository
gsk7cmd -keydb -create -db filename -pw password -type cms -expire days –stash
runmqckm -keydb -create -db filename -pw password -type cms -expire days –stash
- -db filename is the fully qualified name of a CMS key database, for example: dbkey.kdb
- -pw password is the password for the CMS key database, with an extension .cms.
- -type cms is the type of database.
- -expire days is the expiration time in days of the database password. The default is 60 days.
- -stash tells iKeycmd to stash the key database password to a file
NOTE: On Windows, the key database file (.kdb) is created with read permission for all user IDs, so it is not necessary
to change permissions. On UNIX, .kdb and .sth files are created. Access permissions for the key database file are set
to give access only to the user ID from which you used iKeyman or iKeycmd.
Step 3: Generate a CSR
NOTE: All certificates that will expire after December 2013 must have a 2048 bit key size.
- The CSR needs to contain the following Distinguished Name :
- Country Name (C): Enter the two-character abbreviation of country in which organization resides (e.g. US).
- State or Province (S): Enter the full name of your state or province.
Note: Make sure the State or Province is not abbreviated (e.g. California).
- Locality or City (L): Usually the city of your organization's main office, or a main office for your organization.
- Organization (O): The full legal name of your company.
- Organizational Unit (OU): Use this field to differentiate between divisions within an organization.
- Common Name (CN): The fully-qualified domain name to which your certificate will be issued.
Please do not enter an email address, challenge password or an optional company name when generating the CSR.
- To generate a CSR, run the following command:
gsk7cmd -certreq -create -db -pw -label -dn "CN=My Queue Manager,O=My Company,C=UK" -size -file
runmqckm -certreq -create -db -pw -label -dn "CN=My Queue Manager,O=My Company,C=UK" -size -file
- -db is the fully qualified name of a CMS key database, for example: dbkey.kdb
- -pw is the password for the CMS key database, with an extension .cms.
- -label is the key label attached to the certificate, for example: "ibmwebspheremqqmname"
- -dn is the X.509 distinguished name enclosed in double quotes, for example: "CN=My Queue Manager,
- -size is the key size. The value must be 2048 bits.
- -file is the filename for the certificate request, for example: QMNAME_request.arm
- The file you created contains the CSR.
- Use our tool to Verify the CSR.
- Proceed with Enrolment
Once the SSL certificate has been issued, follow the steps from this link to install it on the server.
For more information refer to IBM documentation